Storing and verifying the integrity of event related data

ABSTRACT

The present invention extends to methods, systems, and computer program products for storing and validating the integrity of event related information. To facilitate auditing and traceability, raw signals, normalized signals, detected events, event expirations, and event notifications can be stored in a queryable distributed ledger (e.g., a blockchain). Personal information can be stripped (or otherwise rendered inert, for example, unrecognizable, unreproducible, etc.) prior to storage into the distributed ledger minimizing the possibility of a person being identified. Ledger data can be used to verify actual data as well as for forensics purposes, such as, to audit data, recreate events, etc., in view of an error or inconsistency to investigate, diagnose, remediate, etc.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional PatentApplication Ser. No. 62/628,866, entitled “Multi Source Validation”,filed Feb. 9, 2018 which is incorporated herein in its entirety. Thisapplication claims the benefit of U.S. Provisional Patent ApplicationSer. No. 62/654,274, entitled “Detecting Events From Multiple Signals”,filed Apr. 6, 2018 which is incorporated herein in its entirety. Thisapplication claims the benefit of U.S. Provisional Patent ApplicationSer. No. 62/654,277 entitled, “Validating Possible Events WithAdditional Signals”, filed Apr. 6, 2018 which is incorporated herein inits entirety. This application claims the benefit of U.S. ProvisionalPatent Application Ser. No. 62/660,912, entitled “Using DistributedLedger For Auditability/Traceability Of Signals And Detected Events”,filed Apr. 20, 2018, which is incorporated herein in its entirety. Thisapplication claims the benefit of U.S. Provisional Patent ApplicationSer. No. 62/664,001, entitled, “Normalizing Different Types Of IngestedSignals Into A Common Format”, filed Apr. 27, 2018, which isincorporated herein in its entirety.

This application is related to U.S. Provisional Patent Application Ser.No. 62/667,616, entitled, “Normalizing Different Types Of IngestedSignals Into A Common Format”, filed May 7, 2018, which is incorporatedherein in its entirety.

This application is related to U.S. Provisional Patent Application Ser.No. 62/682,176 entitled “Detecting An Event From Multiple Sources”,filed Jun. 8, 2018 which is incorporated herein in its entirety.

This application claims the benefit of U.S. Provisional PatentApplication Ser. No. 62/682,177 entitled “Detecting An Event FromMulti-Source Event Probability”, filed Jun. 8, 2018 which isincorporated herein in its entirety.

BACKGROUND 1. Background and Relevant Art

Many events are related to human suffering and possibly even humandeath, such as, for example, accidents, shootings, natural disasters,etc. Entities being notified of such events (e.g., drivers, firstresponders, disaster relief organizations, etc.) can tailor theirresponse based on circumstances of an event. Thus, entities can rely onevent notification when allocating and expending resources. Errors orinconsistencies in event detection and notification may cause entitiesto respond inappropriately, waste resources, etc. Event detection andnotification systems can take a variety of measures to reduce thepossibility of introducing errors or inconsistencies into eventdetection and notification processes. However, inevitably errors and/orinconsistencies can occur from time to time.

BRIEF SUMMARY

Examples extend to methods, systems, and computer program products forstoring and verifying event related data. In one aspect, data is storedto a distributed ledger (e.g., block chain) during event evolution ofevent detection. One or more raw signals are received. The one or moreraw signals are stored a distributed ledger

One or more normalized signals area formulated from the one or more rawsignals. The one or more normalized signals are stored in thedistributed ledger. An event is detected from the one or more normalizedsignals. The event is stored in the distributed ledger. An eventnotification is created for the event. The event notification is storedin the distributed ledger. The event notification is sent to at leastone entity.

In another aspect, event related data is verified through reference tothe distributed ledger. An event notification is received. The eventnotification notifies an entity of an event of interest to the entity.The event having been detected from one or more normalized signalsnormalized from a corresponding one or more raw signals.

The event notification is audited. Auditing includes accessing one ormore raw signals used to derive the one or more normalized signals, theone or more normalized signals, the event, and the event notificationfrom a distributed ledger. Auditing includes verifying the integrity ofthe one or more raw signals, the one or more normalized signals, theevent, and the event notification through reference to the distributedledger. An entity resource is allocated based on being notified of theoccurrence of the event and the verified integrity of the one or moreraw signals, the one or more normalized signals, the event, and theevent notification.

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used as an aid in determining the scope of the claimed subjectmatter.

Additional features and advantages will be set forth in the descriptionwhich follows, and in part will be obvious from the description, or maybe learned by practice. The features and advantages may be realized andobtained by means of the instruments and combinations particularlypointed out in the appended claims. These and other features andadvantages will become more fully apparent from the followingdescription and appended claims, or may be learned by practice as setforth hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and otheradvantages and features can be obtained, a more particular descriptionwill be rendered by reference to specific implementations thereof whichare illustrated in the appended drawings. Understanding that thesedrawings depict only some implementations and are not therefore to beconsidered to be limiting of its scope, implementations will bedescribed and explained with additional specificity and detail throughthe use of the accompanying drawings in which:

FIG. 1A illustrates an example computer architecture that facilitatesnormalizing ingesting signals.

FIG. 1B illustrates an example computer architecture that facilitatesdetecting events from normalized signals.

FIG. 2 illustrates an example computer architecture that facilitatesstoring signal and event related data in a distributed ledger.

FIG. 3 illustrates a flow chart of an example method for storing signaland event related data in a distributed ledger.

FIG. 4 illustrates an example computer architecture that facilitatesvalidating an event.

FIG. 5 illustrates a flow chart of an example method for validating anevent.

DETAILED DESCRIPTION

Examples extend to methods, systems, and computer program products forstoring and verifying the integrity of event related data.

Entities (e.g., parents, guardians, teachers, social workers, firstresponders, hospitals, delivery services, media outlets, governmententities, etc.) desire to be made aware of relevant events as close aspossible to the events' occurrence (i.e., as close as possible to“moment zero”). Event relevancy can differ between entities and may bebased on entity specific desires. For example, parents may be interestedin any police presence at or near their children's school. However, theparents are not necessarily interested in police presence in otherplaces. As another example, an ambulance service may be interested inmotor vehicle accidents with injuries that occur within their area ofoperation. However, the ambulance service is not necessarily interestedin accidents without injuries or accidents that occur outside their areaof operation.

In general, signal ingestion modules ingest different types of rawstructured and/or raw unstructured signals on an ongoing basis.Different types of signals can include different data media types anddifferent data formats, including Web signals. Different types ofsignals can include different data media types and different dataformats. Data media types can include audio, video, image, and text.Different formats can include text in XML, text in JavaScript ObjectNotation (JSON), text in RSS feed, plain text, video stream in DynamicAdaptive Streaming over HTTP (DASH), video stream in HTTP Live Streaming(HLS), video stream in Real-Time Messaging Protocol (RTMP), otherMultipurpose Internet Mail Extensions (MIME) types, etc. Handlingdifferent types and formats of data introduces inefficiencies intosubsequent event detection processes, including when determining ifdifferent signals relate to the same event.

Accordingly, the signal ingestion modules can normalize raw signalsacross multiple data dimensions to form normalized signals. Eachdimension can be a scalar value or a vector of values. In one aspect,raw signals are normalized into normalized signals having a Time,Location, Context (or “TLC”) dimensions.

A Time (T) dimension can include a time of origin or alternatively a“event time” of a signal. A Location (L) dimension can include alocation anywhere across a geographic area, such as, a country (e.g.,the United States), a State, a defined area, an impacted area, an areadefined by a geo cell, an address, etc.

A Context (C) dimension indicates circumstances surroundingformation/origination of a raw signal in terms that facilitateunderstanding and assessment of the raw signal. The Context (C)dimension of a raw signal can be derived from express as well asinferred signal features of the raw signal.

Signal ingestion modules can include one or more single sourceclassifiers. A single source classifier can compute a single sourceprobability for a raw signal from features of the raw signal. A singlesource probability can reflect a mathematical probability orapproximation of a mathematical probability (e.g., a percentage between0%-100%) of an event actually occurring. A single source classifier canbe configured to compute a single source probability for a single eventtype or to compute a single source probability for each of a pluralityof different event types. A single source classifier can compute asingle source probability using artificial intelligence, machinelearning, neural networks, logic, heuristics, etc.

As such, single source probabilities and corresponding probabilitydetails can represent a Context (C) dimension. Probability details canindicate (e.g., can include a hash field indicating) a probabilisticmodel and (express and/or inferred) signal features considered in asignal source probability calculation.

Thus, per signal type, signal ingestion modules determine Time (T), aLocation (L), and a Context (C) dimensions associated with a signal.Different ingestion modules can be utilized/tailored to determine T, L,and C dimensions associated with different signal types. Normalized (or“TLC”) signals can be forwarded to an event detection infrastructure.When signals are normalized across common dimensions subsequent eventdetection is more efficient and more effective.

Normalization of ingestion signals can include dimensionality reduction.Generally, “transdimensionality” transformations can be structured anddefined in a “TLC” dimensional model. Signal ingestion modules can applythe “transdimensionality” transformations to generic source data in rawsignals to re-encode the source data into normalized data having lowerdimensionality. Thus, each normalized signal can include a T vector, anL vector, and a C vector. At lower dimensionality, the complexity ofmeasuring “distances” between dimensional vectors across differentnormalized signals is reduced.

Concurrently with signal ingestion, an event detection infrastructureconsiders features of different combinations of normalized signals toattempt to identify events of interest to various parties. For example,the event detection infrastructure can determine that features ofmultiple different normalized signals collectively indicate an event ofinterest to one or more parties. Alternately, the event detectioninfrastructure can determine that features of one or more normalizedsignals indicate a possible event of interest to one or more parties.The event detection infrastructure then determines that features of oneor more other normalized signals validate the possible event as anactual event of interest to the one or more parties. Signal features caninclude: signal type, signal source, signal content, Time (T) dimension,Location (L) dimension, Context (C) dimension, other circumstances ofsignal creation, etc.

To facilitate auditing and traceability, raw signals, normalizedsignals, detected events, event expirations, and event notifications canbe stored in a queryable distributed ledger (e.g., a blockchain). Thedistributed ledger can implement anti tampering mechanisms based oncryptography to significantly limit, and potentially eliminate,alteration of data stored in the distributed ledger. Personalinformation can be stripped (or otherwise rendered inert, for example,unrecognizable, unreproducible, etc.) prior to storage into thedistributed ledger. Preventing access to personal information minimizesthe possibility of a person being identified. Personal information canbe replaced with other identifiers, such as, hashes.

Generally, raw signals, normalized signals, events, event expirations,event notifications, etc. can be audited and issues investigated,diagnosed and remediated through reference to the distributed ledger.When errors or inconsistencies occur during processing, detection, ordelivery, of raw signals, normalized signals, events, or notifications,the ledger can be queried to access relevant data. The relevant data canbe used for forensics purposes, for example, to audit data, recreateevents, etc., in view of an error or inconsistency to investigate,diagnose, remediate, etc. For example, when an inconsistency isidentified for a detected event (e.g., an incorrect time is assigned toan event), the event and the set of signals providing the basis fordetecting the event can be accessed from the distributed ledger. Theevent and the set of signals can be examined. The set of signals canalso be used to recreate an event purported to be the detected event.The contents of the recreated event can be compared to the detectedevent.

Accordingly, aspects of the invention provide transparency intoprocessing raw signals and normalized signals, event detection, eventnotification, and event expiration without compromising personalinformation.

In this description and the following claims, “personal information” isdescribed as one or more portions of data that when consideredindividually or in the aggregate relate to the identity of a naturalperson or can be used to identify a natural person. Personal informationis defined to include personally identifiable information (PII),sensitive personal information (SPI), or other information that can beused on its own or with other information to identify, contact, orlocate a single person, or to identify an individual in context.Personal information can include but is not limited to: full name, firstname, last name, home address (or portions thereof), email address,nation identification number, passport number, vehicle registrationplate, driver's license, face, fingerprints, handwriting, credit cardnumbers, digital identity, date of birth, birthplace, login name, socialmedia identifier, mobile telephone number, nickname, age, gender,employer, school name, criminal record, job position, etc.

Implementations can comprise or utilize a special purpose orgeneral-purpose computer including computer hardware, such as, forexample, one or more computer and/or hardware processors (including anyof Central Processing Units (CPUs), and/or Graphical Processing Units(GPUs), general-purpose GPUs (GPGPUs), Field Programmable Gate Arrays(FPGAs), application specific integrated circuits (ASICs), TensorProcessing Units (TPUs)) and system memory, as discussed in greaterdetail below. Implementations also include physical and othercomputer-readable media for carrying or storing computer-executableinstructions and/or data structures. Such computer-readable media can beany available media that can be accessed by a general purpose or specialpurpose computer system. Computer-readable media that storecomputer-executable instructions are computer storage media (devices).Computer-readable media that carry computer-executable instructions aretransmission media. Thus, by way of example, and not limitation,implementations can comprise at least two distinctly different kinds ofcomputer-readable media: computer storage media (devices) andtransmission media.

Computer storage media (devices) includes RAM, ROM, EEPROM, CD-ROM,Solid State Drives (“SSDs”) (e.g., RAM-based or Flash-based), ShingledMagnetic Recording (“SMR”) devices, Flash memory, phase-change memory(“PCM”), other types of memory, other optical disk storage, magneticdisk storage or other magnetic storage devices, or any other mediumwhich can be used to store desired program code means in the form ofcomputer-executable instructions or data structures and which can beaccessed by a general purpose or special purpose computer.

In one aspect, one or more processors are configured to executeinstructions (e.g., computer-readable instructions, computer-executableinstructions, etc.) to perform any of a plurality of describedoperations. The one or more processors can access information fromsystem memory and/or store information in system memory. The one or moreprocessors can (e.g., automatically) transform information betweendifferent formats, such as, for example, between any of: raw signals,personal information, profile IDs, signal content, images, audio clips,text, normalized signals, hashes, obscured personal information, events,event notifications, event expirations, distributed ledgers, distributedledger blocks, distributed ledger links, queries, ledger data,recreations, simulations, event evolutions, event verification requests,verifications, resource allocations, etc.

System memory can be coupled to the one or more processors and can storeinstructions (e.g., computer-readable instructions, computer-executableinstructions, etc.) executed by the one or more processors. The systemmemory can also be configured to store any of a plurality of other typesof data generated and/or transformed by the described components, suchas, for example, raw signals, personal information, profile IDs, signalcontent, images, audio clips, text, normalized signals, hashes, obscuredpersonal information, events, event notifications, event expirations,distributed ledgers, distributed ledger blocks, distributed ledgerlinks, queries, ledger data, recreations, simulations, event evolutions,event verification requests, verifications, resource allocations, etc.

A “network” is defined as one or more data links that enable thetransport of electronic data between computer systems and/or modulesand/or other electronic devices. When information is transferred orprovided over a network or another communications connection (eitherhardwired, wireless, or a combination of hardwired or wireless) to acomputer, the computer properly views the connection as a transmissionmedium. Transmissions media can include a network and/or data linkswhich can be used to carry desired program code means in the form ofcomputer-executable instructions or data structures and which can beaccessed by a general purpose or special purpose computer. Combinationsof the above should also be included within the scope ofcomputer-readable media.

Further, upon reaching various computer system components, program codemeans in the form of computer-executable instructions or data structurescan be transferred automatically from transmission media to computerstorage media (devices) (or vice versa). For example,computer-executable instructions or data structures received over anetwork or data link can be buffered in RAM within a network interfacemodule (e.g., a “NIC”), and then eventually transferred to computersystem RAM and/or to less volatile computer storage media (devices) at acomputer system. Thus, it should be understood that computer storagemedia (devices) can be included in computer system components that also(or even primarily) utilize transmission media.

Computer-executable instructions comprise, for example, instructions anddata which, in response to execution at a processor, cause a generalpurpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, or evensource code. Although the subject matter has been described in languagespecific to structural features and/or methodological acts, it is to beunderstood that the subject matter defined in the appended claims is notnecessarily limited to the described features or acts described above.Rather, the described features and acts are disclosed as example formsof implementing the claims.

Those skilled in the art will appreciate that the described aspects maybe practiced in network computing environments with many types ofcomputer system configurations, including, personal computers, desktopcomputers, laptop computers, message processors, hand-held devices,wearable devices, multicore processor systems, multi-processor systems,microprocessor-based or programmable consumer electronics, network PCs,minicomputers, mainframe computers, mobile telephones, PDAs, tablets,routers, switches, and the like. The described aspects may also bepracticed in distributed system environments where local and remotecomputer systems, which are linked (either by hardwired data links,wireless data links, or by a combination of hardwired and wireless datalinks) through a network, both perform tasks. In a distributed systemenvironment, program modules may be located in both local and remotememory storage devices.

Further, where appropriate, functions described herein can be performedin one or more of: hardware, software, firmware, digital components, oranalog components. For example, one or more Field Programmable GateArrays (FPGAs) and/or one or more application specific integratedcircuits (ASICs) and/or one or more Tensor Processing Units (TPUs) canbe programmed to carry out one or more of the systems and proceduresdescribed herein. Hardware, software, firmware, digital components, oranalog components can be specifically tailor-designed for a higher speeddetection or artificial intelligence that can enable signal processing.In another example, computer code is configured for execution in one ormore processors, and may include hardware logic/electrical circuitrycontrolled by the computer code. These example devices are providedherein purposes of illustration, and are not intended to be limiting.Embodiments of the present disclosure may be implemented in furthertypes of devices.

The described aspects can also be implemented in cloud computingenvironments. In this description and the following claims, “cloudcomputing” is defined as a model for enabling on-demand network accessto a shared pool of configurable computing resources. For example, cloudcomputing can be employed in the marketplace to offer ubiquitous andconvenient on-demand access to the shared pool of configurable computingresources (e.g., compute resources, networking resources, and storageresources). The shared pool of configurable computing resources can beprovisioned via virtualization and released with low effort or serviceprovider interaction, and then scaled accordingly.

A cloud computing model can be composed of various characteristics suchas, for example, on-demand self-service, broad network access, resourcepooling, rapid elasticity, measured service, and so forth. A cloudcomputing model can also expose various service models, such as, forexample, Software as a Service (“SaaS”), Platform as a Service (“PaaS”),and Infrastructure as a Service (“IaaS”). A cloud computing model canalso be deployed using different deployment models such as privatecloud, community cloud, public cloud, hybrid cloud, and so forth. Inthis description and in the following claims, a “cloud computingenvironment” is an environment in which cloud computing is employed.

In this description and the following claims, a “geo cell” is defined asa piece of “cell” in a spatial grid in any form. In one aspect, geocells are arranged in a hierarchical structure. Cells of differentgeometries can be used.

A “geohash” is an example of a “geo cell”.

In this description and the following claims, “geohash” is defined as ageocoding system which encodes a geographic location into a short stringof letters and digits. Geohash is a hierarchical spatial data structurewhich subdivides space into buckets of grid shape (e.g., a square).Geohashes offer properties like arbitrary precision and the possibilityof gradually removing characters from the end of the code to reduce itssize (and gradually lose precision). As a consequence of the gradualprecision degradation, nearby places will often (but not always) presentsimilar prefixes. The longer a shared prefix is, the closer the twoplaces are. geo cells can be used as a unique identifier and toapproximate point data (e.g., in databases).

In one aspect, a “geohash” is used to refer to a string encoding of anarea or point on the Earth. The area or point on the Earth may berepresented (among other possible coordinate systems) as alatitude/longitude or Easting/Northing—the choice of which is dependenton the coordinate system chosen to represent an area or point on theEarth. geo cell can refer to an encoding of this area or point, wherethe geo cell may be a binary string comprised of 0s and 1s correspondingto the area or point, or a string comprised of 0s, 1s, and a ternarycharacter (such as X)—which is used to refer to a don't care character(0 or 1). A geo cell can also be represented as a string encoding of thearea or point, for example, one possible encoding is base-32, whereevery 5 binary characters are encoded as an ASCII character.

Depending on latitude, the size of an area defined at a specified geocell precision can vary. When geohash is used for spatial indexing, theareas defined at various geo cell precisions are approximately:

TABLE 1 Example Areas at Various Geohash Precisions GeohashLength/Precision width × height 1 5,009.4 km × 4,992.6 km 2 1,252.3 km ×624.1 km 3 156.5 km × 156 km 4 39.1 km × 19.5 km 5 4.9 km × 4.9 km 6 1.2km × 609.4 m 7 152.9 m × 152.4 m 8 38.2 m × 19 m 9 4.8 m × 4.8 m 10  1.2m × 59.5 cm 11  14.9 cm × 14.9 cm 12  3.7 cm × 1.9 cmOther geo cell geometries, such as, hexagonal tiling, triangular tiling,etc. are also possible. For example, the H3 geospatial indexing systemis a multi-precision hexagonal tiling of a sphere (such as the Earth)indexed with hierarchical linear indexes.

In another aspect, geo cells are a hierarchical decomposition of asphere (such as the Earth) into representations of regions or pointsbased a Hilbert curve (e.g., the S2 hierarchy or other hierarchies).Regions/points of the sphere can be projected into a cube and each faceof the cube includes a quad-tree where the sphere point is projectedinto. After that, transformations can be applied and the spacediscretized. The geo cells are then enumerated on a Hilbert Curve (aspace-filling curve that converts multiple dimensions into one dimensionand preserves the approximate locality).

Due to the hierarchical nature of geo cells, any signal, event, entity,etc., associated with a geo cell of a specified precision is by defaultassociated with any less precise geo cells that contain the geo cell.For example, if a signal is associated with a geo cell of precision 9,the signal is by default also associated with corresponding geo cells ofprecisions 1, 2, 3, 4, 5, 6, 7, and 8. Similar mechanisms are applicableto other tiling and geo cell arrangements. For example, S2 has a celllevel hierarchy ranging from level zero (85,011,012 km²) to level 30(between 0.48 cm² to 0.96 cm²).

Signal Ingestion and Normalization

Signal ingestion modules ingest a variety of raw structured and/or rawunstructured signals on an on going basis and in essentially real-time.Raw signals can include social posts, live broadcasts, traffic camerafeeds, other camera feeds (e.g., from other public cameras or from CCTVcameras), listening device feeds, 911 calls, weather data, plannedevents, IoT device data, crowd sourced traffic and road information,satellite data, air quality sensor data, smart city sensor data, publicradio communication (e.g., among first responders and/or dispatchers,between air traffic controllers and pilots), etc. The content of rawsignals can include images, video, audio, text, etc.

In general, signal normalization can prepare (or pre-process) rawsignals into normalized signals to increase efficiency and effectivenessof subsequent computing activities, such as, event detection, eventnotification, etc., that utilize the normalized signals. For example,signal ingestion modules can normalize raw signals, including rawstreaming signals, into normalized signals having a Time, Location, andContext (TLC) dimensions. An event detection infrastructure can use theTime, Location, and Content dimensions to more efficiently andeffectively detect events.

Per signal type and signal content, different normalization modules canbe used to extract, derive, infer, etc. Time, Location, and Contextdimensions from/for a raw signal. For example, one set of normalizationmodules can be configured to extract/derive/infer Time, Location andContext dimensions from/for social signals. Another set of normalizationmodules can be configured to extract/derive/infer Time, Location andContext dimensions from/for Web signals. A further set of normalizationmodules can be configured to extract/derive/infer Time, Location andContext dimensions from/for streaming signals.

Normalization modules for extracting/deriving/inferring Time, Location,and Context dimensions can include text processing modules, NLP modules,image processing modules, video processing modules, etc. The modules canbe used to extract/derive/infer data representative of Time, Location,and Context dimensions for a signal. Time, Location, and Contextdimensions for a signal can be extracted/derived/inferred from metadataand/or content of the signal.

For example, NLP modules can analyze metadata and content of a soundclip to identify a time, location, and keywords (e.g., fire, shooter,etc.). An acoustic listener can also interpret the meaning of sounds ina sound clip (e.g., a gunshot, vehicle collision, etc.) and convert torelevant context. Live acoustic listeners can determine the distance anddirection of a sound. Similarly, image processing modules can analyzemetadata and pixels in an image to identify a time, location andkeywords (e.g., fire, shooter, etc.). Image processing modules can alsointerpret the meaning of parts of an image (e.g., a person holding agun, flames, a store logo, etc.) and convert to relevant context. Othermodules can perform similar operations for other types of contentincluding text and video.

Per signal type, each set of normalization modules can differ but mayinclude at least some similar modules or may share some common modules.For example, similar (or the same) image analysis modules can be used toextract named entities from social signal images and public camerafeeds. Likewise, similar (or the same) NLP modules can be used toextract named entities from social signal text and web text.

In some aspects, an ingested signal includes sufficient expresslydefined time, location, and context information upon ingestion. Theexpressly defined time, location, and context information is used todetermine Time, Location, and Context dimensions for the ingestedsignal. In other aspects, an ingested signal lacks expressly definedlocation information or expressly defined location information isinsufficient (e.g., lacks precision) upon ingestion. In these otheraspects, Location dimension or additional Location dimension can beinferred from features of an ingested signal and/or through referencesto other data sources. In further aspects, an ingested signal lacksexpressly defined context information or expressly defined contextinformation is insufficient (e.g., lacks precision) upon ingestion. Inthese further aspects, Context dimension or additional Context dimensioncan be inferred from features of an ingested signal and/or throughreference to other data sources.

In additional aspects, time information may not be included, or includedtime information may not be given with high enough precision and Timedimension is inferred. For example, a user may post an image to a socialnetwork which had been taken some indeterminate time earlier.

Normalization modules can use named entity recognition and reference toa geo cell database to infer Location dimension. Named entities can berecognized in text, images, video, audio, or sensor data. The recognizednamed entities can be compared to named entities in geo cell entries.Matches indicate possible signal origination in a geographic areadefined by a geo cell.

As such, a normalized signal can include a Time dimension, a Locationdimension, a Context dimension (e.g., single source probabilities andprobability details), a signal type, a signal source, and content.

A single source probability can be calculated by single sourceclassifiers (e.g., machine learning models, artificial intelligence,neural networks, statistical models, etc.) that consider hundreds,thousands, or even more signal features of a signal. Single sourceclassifiers can be based on binary models and/or multi-class models.

FIG. 1A depicts part of computer architecture 100 that facilitatesingesting and normalizing signals. As depicted, computer architecture100 includes signal ingestion modules 101, social signals 171, Websignals 172, and streaming signals 173. Signal ingestion modules 101,social signals 171, Web signals 172, and streaming signals 173 can beconnected to (or be part of) a network, such as, for example, a systembus, a Local Area Network (“LAN”), a Wide Area Network (“WAN”), and eventhe Internet. Accordingly, signal ingestion modules 101, social signals171, Web signals 172, and streaming signals 173 as well as any otherconnected computer systems and their components can create and exchangemessage related data (e.g., Internet Protocol (“IP”) datagrams and otherhigher layer protocols that utilize IP datagrams, such as, TransmissionControl Protocol (“TCP”), Hypertext Transfer Protocol (“HTTP”), SimpleMail Transfer Protocol (“SMTP”), Simple Object Access Protocol (SOAP),etc. or using other non-datagram protocols) over the network.

Signal ingestion module(s) 101 can ingest raw signals 121, includingsocial signals 171, web signals 172, and streaming signals 173 (e.g.,social posts, traffic camera feeds, other camera feeds, listening devicefeeds, 911 calls, weather data, planned events, IoT device data, crowdsourced traffic and road information, satellite data, air quality sensordata, smart city sensor data, public radio communication, etc.) on goingbasis and in essentially real-time. Signal ingestion module(s) 101include social content ingestion modules 174, web content ingestionmodules 175, stream content ingestion modules 176, and signal formatter180. Signal formatter 180 further includes social signal processingmodule 181, web signal processing module 182, and stream signalprocessing modules 183.

Streaming signals 173 can include live video and/or non-live (previouslystored) video.

For each type of signal, a corresponding ingestion module and signalprocessing module can interoperate to normalize the signal along Time,Location, Context (TLC) dimensions. For example, social contentingestion modules 174 and social signal processing module 181 caninteroperate to normalize social signals 171 into TLC dimensions.Similarly, web content ingestion modules 175 and web signal processingmodule 182 can interoperate to normalize web signals 172 into TLCdimensions. Likewise, stream content ingestion modules 176 and streamsignal processing modules 183 can interoperate to normalize streamingsignals 173 into TLC dimensions.

In one aspect, signal content exceeding specified size requirements(e.g., audio or video) is cached upon ingestion. Signal ingestionmodules 101 include a URL or other identifier to the cached contentwithin the context for the signal.

In one aspect, signal formatter 180 includes modules for determining asingle source probability as a ratio of signals turning into eventsbased on the following signal properties: (1) event class (e.g., fire,accident, weather, etc.), (2) media type (e.g., text, image, audio,etc.), (3) source (e.g., twitter, traffic camera, first responder radiotraffic, etc.), and (4) geo type (e.g., geo cell, region, or non-geo).Probabilities can be stored in a lookup table for different combinationsof the signal properties. Features of a signal can be derived and usedto query the lookup table. For example, the lookup table can be queriedwith terms (“accident”, “image”, “twitter”, “region”). The correspondingratio (probability) can be returned from the table.

In another aspect, signal formatter 180 includes a plurality of singlesource classifiers (e.g., artificial intelligence, machine learningmodules, neural networks, etc.). Each single source classifier canconsider hundreds, thousands, or even more signal features of a signal.Signal features of a signal can be derived and submitted to a signalsource classifier. The single source classifier can return a probabilitythat a signal indicates a type of event. Single source classifiers canbe binary classifiers or multi-source classifiers.

Raw classifier output can be adjusted to more accurately represent aprobability that a signal is a “true positive”. For example, 1,000signals whose raw classifier output is 0.9 may include 80% as truepositives. Thus, probability can be adjusted to 0.8 to reflect trueprobability of the signal being a true positive. “Calibration” can bedone in such a way that for any “calibrated score” this score reflectsthe true probability of a true positive outcome.

Signal ingestion modules 101 can insert one or more single sourceprobabilities and corresponding probability details into a normalizedsignal to represent a Context (C) dimension. Probability details canindicate a probabilistic model and features used to calculate theprobability. In one aspect, a probabilistic model and signal featuresare contained in a hash field.

Signal ingestion modules 101 can utilize “transdimensionality”transformations structured and defined in a “TLC” dimensional model.Signal ingestion modules 101 can apply the “transdimensionality”transformations to generic source data in raw signals to re-encode thesource data into normalized data having lower dimensionality.Dimensionality reduction can include reducing dimensionality of a rawsignal to a normalized signal including a T vector, an L vector, and a Cvector. At lower dimensionality, the complexity and resource consumptionof measuring “distances” between dimensional vectors across differentnormalized signals is reduced.

Thus, in general, any received raw signals can be normalized intonormalized signals including a Time (T) dimension, a Location (L)dimension, a Context (C) dimension, signal source, signal type, andcontent. Signal ingestion modules 101 can send normalized signals 122 toevent detection infrastructure 103.

For example, signal ingestion modules 101 can send normalized signal122A, including time (dimension) 123A, location (dimension) 124A,context (dimension) 126A, content 127A, type 128A, and source 129A toevent detection infrastructure 103. Similarly, signal ingestion modules101 can send normalized signal 122B, including time (dimension) 123B,location (dimension) 124B, context (dimension) 126B, content 127B, type128B, and source 129B to event detection infrastructure 103.

Event Detection

FIG. 1B depicts part of computer architecture 100 that facilitatesdetecting events. As depicted, computer architecture 100 includes geocell database 111 and even notification 116. Geo cell database 111 andevent notification 116 can be connected to (or be part of) a networkwith signal ingestion modules 101 and event detection infrastructure103. As such, geo cell database 111 and even notification 116 can createand exchange message related data over the network.

As described, in general, on an ongoing basis and concurrently withsignal ingestion (and also essentially in real-time), event detectioninfrastructure 103 detects different categories of (planned andunplanned) events (e.g., fire, police response, mass shooting, trafficaccident, natural disaster, storm, active shooter, concerts, protests,etc.) in different locations (e.g., anywhere across a geographic area,such as, the United States, a State, a defined area, an impacted area,an area defined by a geo cell, an address, etc.), at different timesfrom Time, Location, and Context dimensions included in normalizedsignals. Event detection infrastructure can likewise detect changes toexisting (planned and unplanned) events. Since, normalized signals arenormalized to include Time, Location, and Context dimensions (vectors),event detection infrastructure 103 can handle normalized signals in amore uniform manner. Handling signals in a more uniform manner increasesevent detection and event change detection efficiency and effectivenessand also reduces resource consumption. For example, Time, Location, andContext vectors of different normalized signals can be compared (insteadof comparing along numerous, and possibly differing and/or non-uniform,other dimensions).

Event detection infrastructure 103 can also determine an eventtruthfulness (e.g., erroneous detection results, detections based ontampered source data, detections of fictional or staged events), eventseverity, and an associated geo cell. In one aspect, context informationin a normalized signal increases the efficiency and effectiveness ofdetermining truthfulness, severity, and an associated geo cell.

Generally, an event truthfulness indicates how likely a detected eventis actually an event (vs. a hoax, fake, misinterpreted, etc.).Truthfulness can range from less likely to be true to more likely to betrue. In one aspect, truthfulness is represented as a numerical value,such as, for example, from 1 (less truthful) to 10 (more truthful) or aspercentage value in a percentage range, such as, for example, from 0%(less truthful) to 100% (more truthful). Other truthfulnessrepresentations are also possible. For example, truthfulness can be adimension and/or can be represented by one or more vectors.

Generally, an event severity indicates how severe an event is (e.g.,what degree of badness, what degree of damage, etc. is associated withthe event). Severity can range from less severe (e.g., a single vehicleaccident without injuries) to more severe (e.g., multi vehicle accidentwith multiple injuries and a possible fatality). As another example, ashooting event can also range from less severe (e.g., one victim withoutlife threatening injuries) to more severe (e.g., multiple injuries andmultiple fatalities). In one aspect, severity is represented as anumerical value, such as, for example, from 1 (less severe) to 5 (moresevere). Other severity representations are also possible. For example,severity can be a dimension and/or can be represented by one or morevectors.

In general, event detection infrastructure 103 can include a geodetermination module including modules for processing different kinds ofcontent including location, time, context, text, images, audio, andvideo into search terms. The geo determination module can query a geocell database with search terms formulated from normalized signalcontent. The geo cell database can return any geo cells having matchingsupplemental information. For example, if a search term includes astreet name, a subset of one or more geo cells including the street namein supplemental information can be returned to the event detectioninfrastructure.

Event detection infrastructure 103 can use the subset of geo cells todetermine a geo cell associated with an event location. Eventsassociated with a geo cell can be stored back into an entry for the geocell in the geo cell database. Thus, over time an historical progressionof events within a geo cell can be accumulated.

As such, event detection infrastructure 103 can assign an event ID, anevent time, an event location, an event category, an event description,an event truthfulness, and an event severity to each detected event.Detected events can be sent to relevant entities, including to mobiledevices, to computer systems, to APIs, to data storage, etc.

Event detection infrastructure 103 detects events from informationcontained in normalized signals 122. Event detection infrastructure 103can detect an event from a single normalized signal 122 or from multiplenormalized signals 122. In one aspect, event detection infrastructure103 detects an event based on information contained in one or morenormalized signals 122. In another aspect, event detectioninfrastructure 103 detects a possible event based on informationcontained in one or more normalized signals 122. Event detectioninfrastructure 103 then validates the potential event as an event basedon information contained in one or more other normalized signals 122.

As depicted, event detection infrastructure 103 includes geodetermination module 104, categorization module 106, truthfulnessdetermination module 107, and severity determination module 108.

Geo determination module 104 can include NLP modules, image analysismodules, etc. for identifying location information from a normalizedsignal. Geo determination module 104 can formulate (e.g., location)search terms 141 by using NLP modules to process audio, using imageanalysis modules to process images, etc. Search terms can include streetaddresses, building names, landmark names, location names, school names,image fingerprints, etc. Event detection infrastructure 103 can use aURL or identifier to access cached content when appropriate.

Categorization module 106 can categorize a detected event into one of aplurality of different categories (e.g., fire, police response, massshooting, traffic accident, natural disaster, storm, active shooter,concerts, protests, etc.) based on the content of normalized signalsused to detect and/or otherwise related to an event.

Truthfulness determination module 107 can determine the truthfulness ofa detected event based on one or more of: source, type, age, and contentof normalized signals used to detect and/or otherwise related to theevent. Some signal types may be inherently more reliable than othersignal types. For example, video from a live traffic camera feed may bemore reliable than text in a social media post. Some signal sources maybe inherently more reliable than others. For example, a social mediaaccount of a government agency may be more reliable than a social mediaaccount of an individual. The reliability of a signal can decay overtime.

Severity determination module 108 can determine the severity of adetected event based on or more of: location, content (e.g., dispatchcodes, keywords, etc.), and volume of normalized signals used to detectand/or otherwise related to an event. Events at some locations may beinherently more severe than events at other locations. For example, anevent at a hospital is potentially more severe than the same event at anabandoned warehouse. Event category can also be considered whendetermining severity. For example, an event categorized as a “Shooting”may be inherently more severe than an event categorized as “PolicePresence” since a shooting implies that someone has been injured.

Geo cell database 111 includes a plurality of geo cell entries. Each geocell entry is included in a geo cell defining an area and correspondingsupplemental information about things included in the defined area. Thecorresponding supplemental information can include latitude/longitude,street names in the area defined by and/or beyond the geo cell,businesses in the area defined by the geo cell, other Areas of Interest(AOIs) (e.g., event venues, such as, arenas, stadiums, theaters, concerthalls, etc.) in the area defined by the geo cell, image fingerprintsderived from images captured in the area defined by the geo cell, andprior events that have occurred in the area defined by the geo cell. Forexample, geo cell entry 151 includes geo cell 152, lat/lon 153, streets154, businesses 155, AOIs 156, and prior events 157. Each event in priorevents 157 can include a location (e.g., a street address), a time(event occurrence time), an event category, an event truthfulness, anevent severity, and an event description. Similarly, geo cell entry 161includes geo cell 162, lat/lon 163, streets 164, businesses 165, AOIs166, and prior events 167. Each event in prior events 167 can include alocation (e.g., a street address), a time (event occurrence time), anevent category, an event truthfulness, an event severity, and an eventdescription.

Other geo cell entries can include the same or different (more or less)supplemental information, for example, depending on infrastructuredensity in an area. For example, a geo cell entry for an urban area cancontain more diverse supplemental information than a geo cell entry foran agricultural area (e.g., in an empty field). Sufficiently precise geocells can be used to increase the practicality of storing matchingcontent.

Geo cell database 111 can store geo cell entries in a hierarchicalarrangement based on geo cell precision. As such, geo cell informationof more precise geo cells is included in the geo cell information forany less precise geo cells that include the more precise geo cell.

Geo determination module 104 can query geo cell database 111 with searchterms 141. Geo cell database 111 can identify any geo cells havingsupplemental information that matches search terms 141. For example, ifsearch terms 141 include a street address and a business name, geo celldatabase 111 can identify geo cells having the street name and businessname in the area defined by the geo cell. Geo cell database 111 canreturn any identified geo cells to geo determination module 104 in geocell subset 142.

Geo determination module can use geo cell subset 142 to determine thelocation of event 135 and/or a geo cell associated with event 135. Asdepicted, event 135 includes event ID 132, time 133, location 137,description 136, category 137, truthfulness 138, and severity 139.

Event detection infrastructure 103 can also determine that event 135occurred in an area defined by geo cell 162 (e.g., a geohash havingprecision of level 7 or level 9). For example, event detectioninfrastructure 103 can determine that location 134 is in the areadefined by geo cell 162. As such, event detection infrastructure 103 canstore event 135 in events 167 (i.e., historical events that haveoccurred in the area defined by geo cell 162).

Event detection infrastructure 103 can also send event 135 to eventnotification module 116. Event notification module 116 can notify one ormore entities about event 135.

Storing Signal and Event Related Data in a Distributed Ledger

FIG. 2 illustrates an example computer architecture 200 that facilitatesstoring signal and event related data in a distributed ledger. Asdepicted, computer architecture 200 includes distributed ledger 231(e.g., a blockchain). Distributed ledger 231 can include a continuouslygrowing list of blocks which are linked and secured using cryptography.Each block can include a cryptographic hash of the previously block, atimestamp, and transaction data (e.g., signals, normalized signals,events, event notifications, event expirations, etc.). For example, link232DC links block 231D back to block 231C and includes a hash of block231C. Link 232 CB links block 231C back to block 231B and includes ahash of block 231B. Link 232 BA links block 231B back to block 231A andincludes a hash of block 231A. Other links connect the depicted blocksto other blocks including in distributed ledger 231.

As depicted, data ingestion modules 101 further include personalinformation scanner/remover 211. Personal information scanner/remover211 can scan raw signals and/or normalized signals for personalinformation. Personal information scanner/remover 211 can stripidentified personal information from raw and/or normalized signals orcan otherwise render identified personal information inert. For example,text can be deleted, portions of an image obscured, or portions of anaudio clip rendered unintelligible.

In one aspect, personal information scanner/remover 211 prevents furtheraccess to virtually all personal information identified in raw signalsand/or normalized signals. In another aspect, personal informationscanner/remover 211 prevents further access to some, but not all,personal information identified in raw signals and/or normalizedsignals. For example, personal information usable to formulate atemporal identifier for a signal source can remain in a signal.

Data ingestion modules 101 can store raw signals and normalized signals,with at least some personal information removed, in one or more blocksof distributed ledger 231. Data ingestion modules 101 can store anormalized signal along with an indication of the corresponding rawsignal from which the normalized signal was derived. Data ingestionmodules 101 can also send normalized signals, with at least somepersonal information removed, to event detection infrastructure 103.

Personal information scanner/remover 211 can be included in, integratedwith, and/or interoperate with other modules of data ingestions modules101 including social content ingestion modules 174, web contentingestion modules 175, stream content ingestion modules 176, signalformatter 180, social signal processing modules 181, web signalprocessing modules 182, and stream signal processing modules 183. Assuch, data ingestion modules 101 can scan for, identify, and preventfurther access to personal information at virtually any stage of, andpossibly at multiple different stages, of signal normalization.

Generally, event detection infrastructure 103 can detect events, notifyentities of occurring events, and track when events expire. As depicted,event detection infrastructure 103 further includes personal informationscanner/remover 213, hash module 248, and hash storage 252. Personalinformation scanner/remover 213 can strip identified personalinformation from any of normalized signals, detected events, eventnotifications, event expirations, etc. or can otherwise renderidentified personal information inert. For example, text can be deleted,portions of an image obscured, or portions of an audio clip renderedunintelligible.

In one aspect, personal information scanner/remover 213 prevents furtheraccess to virtually all personal information in normalized signals,detected events, event notifications, event expirations, etc. In anotheraspect, personal information scanner/remover 213 prevents further accessto some, but not all, personal information in normalized signals,detected events, event notifications, event expirations, etc. Forexample, personal information can be transformed into a temporalidentifier for a signal source.

Event detection infrastructure 103 can store normalized signals,detected events, event notifications, event expirations, etc., with atleast some personal information removed, in one or more blocks ofdistributed ledger 231. Event detection infrastructure 103 can store adetected event along with an indication of one or more normalizedsignals associated with the detected event (with personal informationstripped from the detected event and the one or more normalizedsignals). Event detection infrastructure 103 can store eventnotifications and event expirations in one or more blocks of distributedledger 231. Event detection infrastructure 103 can also send eventnotifications and event expirations to relevant entities.

Personal information scanner/remover 211 and/or personal informationscanner/remover 213 can include various analysis modules for analyzingdifferent types of content for personal information. For example,personal information scanner/remover 211 and/or personal informationscanner/remover 213 can include text analysis modules, audio analysismodules, image analysis modules, video analysis modules, etc. Audioanalysis modules can analyze sound clips for personal information, imageanalysis modules can analyze images for personal information, textmodules can analyze text for personal information, etc.

In some aspects, personal information is detected from different partsof a portion of content (e.g., different parts of an image) consideredin the aggregate. In other aspects, personal information is detectedfrom parts of different portions of content (e.g., text and an image).The analysis modules can remove detected personal information fromsignal content or render the personal information otherwise inert. Forexample, text can be deleted, portions of an image obscured, or portionsof an audio clip rendered unintelligible.

Hash module 248 is configured to identify (e.g., social media) profileidentifiers contained in normalized signals. Hash module 248 can use ahashing algorithm to hash the profile identifier into a hash (e.g., atemporal identifier). The temporal identifier can be stored in hashstorage 252 and the profile identifier removed from the normalizedsignal. As such, event detection infrastructure 103 can store a detectedevent, including the temporal identifier, along with an indication ofcorresponding normalized signals from which the event was detected andwith other personal information stripped out (or otherwise renderedinert) in one or more blocks of distributed ledger 231.

Subsequently, hash module 248 can identify another (e.g., social media)profile identifier contained in another normalized signal. Hash module248 uses the hashing algorithm to hash the other profile identifier intoanother hash (i.e., another temporal identifier). Hash module 248compares the hash to the other hash. If the hashes match, hash module248 considers the normalized signal and other normalized signal to haveoriginated from the source. As such, the event detection infrastructuretreats the normalized signal and other normalized signal as a singlenormalized signal (and thus reduces the contribution of the othernormalized signal to any events detected based on the signal). Eventdetection infrastructure 103 can also store a linkage between normalizedsignals originating from the same source in one or more blocks ofdistributed ledger 231.

The lifetime of a detected event can vary. In one aspect, the lifetimeof an event is between 15 and 120 minutes. For example, police presenceat a location (can range from a few minutes to a couple hours (e.g., toclear an accident). In another aspect, the lifetime of an event isbetween 5 minutes and a day. For example, a protest may last an entireday. Events can also be multi-day ongoing events. Thus, in a furtheraspect, the lifetime of an event is between 1 minute and 1 week (or evenlonger). For example, natural disasters can last for days (e.g.,hurricanes) or weeks (e.g., forest fires). Event detectioninfrastructure 103 can maintain a hash (or other temporal identifier)for some amount of time (e.g., 5, 10, or 15 minutes) after the lifetimeof an event expires. Event detection infrastructure 103 can also storean indication of when a detected event expired in one or more blocks ofdistributed ledger 231. Hash module 248 can remove a corresponding hashfrom hash storage 152 when an event expires.

Accordingly, contents of distributed ledger 231 provide sufficientinformation for tracing the evolution of a detected event from initiallyreceived raw signals to event detection through to event expiration.

Personal information scanner/remover 213, hash module 248, and hashstorage 252 can be included in, integrated with, and/or interoperatewith other modules of event detection infrastructure 103 including geodetermination module 104, categorization module 106, truthfulnessdetermination module 107, and severity determination module 108. Assuch, event detection infrastructure 103 can scan for, identify, andprevent further access to personal information at virtually any stageof, and possibly at multiple different stages, of event detection, eventnotification, and event expiration.

In one aspect, one or more signal sources independently store rawsignals in distributed ledger 231. A signal source can store raw signalsin distributed ledger 231 in combination with or in the alternatively tosending raw signals to data ingestion modules 101. For example, one ormore signal sources can store raw signals 221A (a subset of raw signals121) in distributed ledger 231. When appropriate, data ingestion modules101 can access raw signals from distributed ledger 231 fornormalization.

FIG. 3 illustrates a flow chart of an example method 300 for storingsignal and event related data in a distributed ledger. Method 300 willbe described with respect to the components and data in computerarchitecture 200.

Method 300 includes receiving one or more raw signals (301). Forexample, data ingestion modules 101 can receive raw signals 121B (asubset of raw signals 121). Method 300 includes storing the one or moreraw signals in a distributed ledger (302). For example, data ingestionmodules 101 can store raw signals 221B in in one or more blocks ofdistributed ledger 231. In one aspect, personal informationscanner/remover 211 strips (or renders otherwise inert) at least somepersonal information from one or more of raw signals 221B prior tostorage.

Method 300 includes formulating one or more normalized signals from theone or more raw signals (303). For example, data ingestion modules 101can formulate normalized signals 222 from raw signals 221B. Method 300includes storing the one or more normalized signals in the distributedledger (304). For example, data ingestion modules 101 can storenormalized signals 222 in one or more blocks of distributed ledger 231.In one aspect, personal information scanner/remover 211 strips (orrenders otherwise inert) at least some personal information from one ormore of normalized signals 222 prior to storage.

Method 300 includes detecting an event from the one or more normalizedsignals (305). For example, event detection infrastructure 103 candetect event 223 from normalized signals 222. Method 300 includesstoring the event in the in the distributed ledger (306). For example,event detection infrastructure 103 can store event 223 in one or moreblocks of distributed ledger 231. In one aspect, personal informationscanner/remover 213 strips (or renders otherwise inert) at least somepersonal information included in event 223 prior to storage.

Method 300 includes creating an event notification for the event (307).For example, event detection infrastructure 103 can create eventnotification 226 for event 223. Method 300 includes storing the eventnotification in the distributed ledger (308). For example, eventdetection infrastructure 103 can store event notification 226 in one ormore blocks of distributed ledger 231. Method 300 includes sending theevent notification to at least one entity (309). For example, eventdetection infrastructure 103 can send notification 226 to an entity. Inone aspect, personal information scanner/remover 213 strips (or rendersotherwise inert) at least some personal information included innotification 226 prior to storage and/or sending to an entity.

Subsequently, when event 223 expires, event detection infrastructure 103can formulate event expiration 224. Event detection infrastructure 103can store event expiration 224 in one or more blocks of distributedledger 231 and send event expiration 224 to the entity. In one aspect,personal information scanner/remover 213 strips (or renders otherwiseinert) at least some personal information included in event expiration224 prior to storage and/or sending to an entity.

Validating An Event

Upon receiving notification of an event, a notified entity may wish toverify an event prior to allocating resources to address the event. FIG.4 illustrates an example computer architecture 400 that facilitatesvalidating an event. As depicted, computer architecture 400 furtherincludes audit module 401 and entity 411. Audit module 401 includesquery module 402 and investigative module 403.

Audit module 401 can access data from distributed ledger 231 to verifyevents as well as investigate, diagnose, and remediate detectedinconsistencies or errors in any of raw signals, normalized signals,events, event notifications, and event expirations. Query module 402 canquery distributed ledger 231 for ledger data related to a detected eventor related to an indicated inconsistency or error (e.g., a time zoneglitch, language parsing error, etc.). Distributed ledger 231 can returnledger data back to query module 402.

Investigative module 403 can use ledger data to attempt to recreate adetected event or set of activities that led to the inconsistency orerror. In one aspect, investigative module 403 follows the evolution ofan event from raw signal reception through to event detection tovalidate an event.

For example, investigative module 403 can simulate (recreate)normalization a set of raw signals into a corresponding set ofnormalized signals. Investigative module 203 can then compare thesimulated (recreated) set of normalized signals to the actual normalizedsignals contained in distributed ledger 231. Investigative module 403can then simulate (recreate) detection of an event from a set ofnormalized signals. Investigative module 203 can then compare thesimulated (recreated) event to the actual event. When simulated(recreated) data does not match actual data, further measures can betaken to determine and/or correct the cause of a mismatch.

When signal sources store raw signals (e.g., raw signals 221) directlyto distributed ledger 231. Data ingestion module(s) 101 can use auditmodule 401 to validate the integrity of raw signals received from thesignal sources.

FIG. 5 illustrates a flow chart of an example method 500 for validatingan event. Method 500 will be described with respect to the componentsand data depicted in computer architecture 400.

Method 500 includes receiving an event notification, the eventnotification notifying an entity of the occurrence of an event ofinterest to the entity, the event detected from one or more normalizedsignals, each normalized signal normalized from a corresponding rawsignal (501). For example, event detection infrastructure 103 canformulate event notification 428 to notify an entity about event 416.Event detection infrastructure 103 can send event notification 428 toentity 411. Entity 411 can receive event notification 428 from eventdetection infrastructure 103. Event notification 428 can notify entity411 of event 416 (an event of interest to entity 411). Event 416 can bean event that was detected from one or more normalized signals (e.g., innormalized signals 222) that were normalized from corresponding rawsignals (e.g., in raw signals 221A and/or in raw signals 221B). It maybe that ingestion modules 101 previously stored the one or more rawsignals and the one or more normalized signals in distributed ledger231. It may also be that event detection infrastructure 103 previouslystored event 416 in distributed ledger 231.

Entity 411 can control resources with capabilities to mitigate physicaldanger associated with event 416. For example, a fire department canhave resources (e.g., fire trucks, fire fighters, etc.) capable ofextinguishing a fire. However, entity 411 may be hesitant to deploy suchresources without verification of event 416.

Method 500 includes auditing the event notification (502). For example,audit module 401 can audit event notification 428.

Auditing the event notification includes accessing a distributed ledgercontaining: one or more raw signals used to derive the one or morenormalized signals, the one or more normalized signals, the event, andthe event notification (503). For example, entity 411 can send eventverification request 427 to audit module 401. Query module 402 canformulate query 411 (a query for ledger data related to eventnotification 428) from event verification request 427. Query module 402can send query 411 to distributed ledger 231. In response to query 411,distributed ledger 231 can return ledger data 412 including raw signals413, normalized signals, 414, and event 417. Any of signals 413,normalized signals, 414, and event 417 can have at least some personalinformation stripped or otherwise rendered inert.

Raw signals 413 can be raw signals allegedly used to derive normalizedsignals 414. Normalized signals 414 can be normalized signals allegedlyused to detect event 417. Event 417 can be an event that allegedlytriggered creating and sending event notification 428.

Auditing the event notification includes verifying the integrity of theone or more raw signals, the one or more normalized signals, the event,and the event notification through reference to the distributed ledger(504). For example, investigative module 403 can verify the integrity ofraw signals 413, normalized signals 414, event 417, and eventnotification 428.

To verify raw signals 413, investigative module 403 can simulate(recreate) normalizing raw signals 413 into normalized signals.Investigative module 403 compares the simulated (recreated) normalizedsignals to normalized signals 414. Investigative module 403 verifies theintegrity of raw signals 413 when the simulated (recreated) normalizedsignals match normalized signals 414.

To verify normalized signals 414, investigative module 403 can simulate(recreate) detecting an event from normalized signals 414. Investigativemodule 403 compares the simulated (recreated) detected event to event417. Investigative module 403 verifies the integrity of normalizedsignals 414 when the simulated (recreated) detected event matches event417.

To verify event 416, investigative module 403 can compare event 416 toevent 417. Investigative module 403 verifies the integrity of event 416when event 416 matches event 417.

To verify event 416, investigative module 403 can also simulate creating(recreate) an event notification for event 416. Investigative module 403compares the simulated (recreated) event notification to eventnotification 428. Investigative module 403 verifies the integrity ofevent notification 428 when the simulated (recreated) event notificationmatches event notification 428.

Thus, investigative module 403 essentially traces the evolution of event416 from raw signals 413 through normalized signals 414 to eventdetection based on ledger data 412. Audit module 401 can returnverification 431 to entity 411. Verification 431 indicates thatinvestigative module 403 verified the integrity of raw signals 413,normalized signals 414, and event 416. Entity 411 can receiveverification 431 from audit module 401.

Method 500 includes allocating a resource of the entity based on beingnotified of the occurrence of the event and the verified integrity ofthe one or more raw signals, the one or more normalized signals, theevent, and the event notification (505). For example, entity 411 canallocate resource 429 in response to receiving event notification 428and verification 431. In one aspect, resource 429 and/or allocation ofresource 429 is tailored to event 416 based on characteristics of event416, such as, for example, location, description, severity, category,etc. Resource 429 can be a physical resource, such as, a patrol vehicle,an ambulance, first responder personnel, search and rescue, etc.

Investigative module 403 can include additional algorithms foridentifying errors, inconsistencies, etc. between ledger data and otherevent related data. Additional algorithms can be invoked when simulatednormalized signals, events, event notifications, event expirations, etc.do not match actual normalized signals, events, event notifications,event expirations, etc.

The present described aspects may be implemented in other specific formswithout departing from its spirit or essential characteristics. Thedescribed aspects are to be considered in all respects only asillustrative and not restrictive. The scope is, therefore, indicated bythe appended claims rather than by the foregoing description. Allchanges which come within the meaning and range of equivalency of theclaims are to be embraced within their scope.

What is claimed:
 1. A computer-implemented method of validating eventnotifications in a distributed ledger, the computer-implemented methodcomprising: receiving an event notification, wherein the eventnotification notifies an entity of the occurrence of an event ofinterest to the entity detected from one or more normalized signals, andwherein each normalized signal is normalized from a corresponding rawsignal; auditing the event notification, including: accessing thedistributed ledger containing: one or more raw signals used to derivethe one or more normalized signals, the one or more normalized signals,the event, and the event notification, wherein accessing the distributedledger comprises accessing a Blockchain; and verifying the integrity ofthe one or more raw signals, the one or more normalized signals, theevent, and the event notification through reference to the distributedledger, including: simulating detection of a simulated event from theone or more normalized signals, and comparing the event to the simulatedevent; and allocating a first responder resource of the entity based onbeing notified of the occurrence of the event and based on the integrityverification.
 2. The method of claim 1, further comprising strippingpersonal information from the one or more raw signals and storing theone or more raw signals in the distributed ledger.
 3. The method ofclaim 1, further comprising stripping personal information from the oneor more normalized signals and storing the one or more normalizedsignals in the distributed ledger.
 4. The method of claim 1, furthercomprising stripping personal information from the event and storing theevent in the distributed ledger.
 5. The method of claim 1, furthercomprising stripping personal information from the event notification.6. The method of claim 1, further comprising: creating an eventexpiration for the event; and storing the event expiration in thedistributed ledger.
 7. The method of claim 1, wherein verifying theintegrity of the one or more raw signals, the one or more normalizedsignals, the event, and the event notification through reference to thedistributed ledger comprises: simulating normalization of the one ormore raw signals into one or more simulated normalized signals; andcomparing the one or more normalized signals to the one or moresimulated normalized signals.
 8. A system of validating eventnotifications in a distributed ledger, the system comprising: aprocessor; system memory coupled to the processor and storinginstructions configured to cause the processor to: receive an eventnotification, wherein the event notification notifying an entity of theoccurrence of an event of interest to the entity detected from one ormore normalized signals, and wherein each normalized signal isnormalized from a corresponding raw signal; audit the eventnotification, including: access the distributed ledger containing: oneor more raw signals used to derive the one or more normalized signals,the one or more normalized signals, the event, and the eventnotification, wherein accessing the distributed ledger comprisesaccessing a Blockchain; and verify the integrity of the one or more rawsignals, the one or more normalized signals, the event, and the eventnotification through reference to the distributed ledger, including:simulate detection of a simulated event from the one or more normalizedsignals; and compare the event to the simulated event; and allocate afirst responder resource of the entity based on being notified of theoccurrence of the event and based on the integrity verification.
 9. Thesystem of claim 8, further comprising instructions configured to strippersonal information from the one or more raw signals and store the oneor more raw signals in the distributed ledger.
 10. The system of claim8, further comprising instructions configured to strip personalinformation from the one or more normalized signals and store the one ormore normalized signals in the distributed ledger.
 11. The system ofclaim 8, further comprising instructions configured to strip personalinformation from the event and store the event in the distributedledger.
 12. The system of claim 8, further comprising instructionsconfigured to strip personal information from the event notification.13. The system of claim 8, wherein instructions configured to verify theintegrity of the one or more raw signals, the one or more normalizedsignals, the event, and the event notification through reference to thedistributed ledger comprises instructions configured to: simulatenormalization of the one or more raw signals into one or more simulatednormalized signals; and compare the one or more normalized signals tothe one or more simulated normalized signals.
 14. The system of claim 8,wherein instructions configured to access a distributed ledger compriseinstructions configured to access a blockchain.
 15. The system of claim8, wherein instructions configured to allocate a resource compriseinstructions configured to allocate a first responder resource.